A malicious extension for the Chrome, Brave, and Opera browsers is used to steal cryptocurrency from victims as a part of a recent Satacom campaign discovered by Kaspersky. Nearly 30,000 users were at risk of being targeted during the last two months. The attackers have implemented a range of malicious actions to ensure that the extension remains undetected while the unsuspecting user browses the targeted cryptocurrency exchange websites, including Coinbase and Binance. In addition, the extension enables threat actors to conceal any transaction notifications sent to the victim by these websites to stealthily steal their cryptocurrency. A detailed report on this campaign is available on Securelist.
The recent campaign is linked to the Satacom downloader, a notorious malware family active since 2019 and mainly delivered via malvertising placed on third-party websites. The malicious links or ads redirect users to fake file-sharing services and other malicious pages offering to download an archive containing the Satacom Downloader. In the case of this recent campaign, it downloads the malicious browser extension.
The latest campaign installs a browser extension that steals cryptocurrency and conceals its activity.
The campaign's primary objective is to steal bitcoin (BTC) from victims' accounts by performing web injections to targeted cryptocurrency websites. However, the malware can be easily modified to target other cryptocurrencies. The malware attempts to achieve its objective by installing an extension for Chromium-based browsers – such as Chrome, Brave and Opera – and targeting individual users holding cryptocurrency worldwide. Kaspersky telemetry data reveals that during April and May, nearly 30,000 individuals were at risk of being targeted by the campaign. In the last two months, the countries most affected by this threat were Brazil, Mexico, Algeria, Turkey, India, Vietnam, and Indonesia.
Country | Affected users |
Brazil | 3996 |
Mexico | 2056 |
Algeria | 1790 |
Turkey | 1418 |
India | 1127 |
Vietnam | 1010 |
Indonesia | 1003 |
The malicious extension performs browser manipulations while the user is surfing targeted cryptocurrency exchange websites. The campaign targets Coinbase, Bybit, Kucoin, Huobi and Binance users. Besides stealing cryptocurrency, the extension carries out additional actions to conceal its primary activity. For instance, it hides email confirmations of transactions and modifies existing email threads from cryptocurrency websites to create fake threads that resemble the real ones.
Fake email thread template
In this campaign, the threat actors don't need to find ways to sneak into official extension stores since they use Satacom downloader for delivery. The initial infection begins with a ZIP archive file, which is downloaded from a website that seems to mimic software portals allowing the user to download desired (often cracked) software for free. Satacom usually downloads various binaries onto the victim’s machine. This time Kaspersky researchers observed a PowerShell script that performs the installation of a malicious browser extension.
Then, a series of malicious actions allow the extension to run stealthily while the user is browsing the Internet. As a result, threat actors become capable of transferring the BTC from the victim’s wallet to their wallet using web injections.
"Cybercriminals have enhanced the extension by adding the ability to control it through script changes. This means that they can easily start targeting other cryptocurrencies. Moreover, since the extension is browser-based, it can target Windows, Linux and macOS platforms. As a precaution, users are advised to regularly check their online accounts for any suspicious activity and use reliable security solutions to protect themselves from threats like these," said Haim Zigel, malware analyst at Kaspersky.
Detailed technical analysis of the malware is available on Securelist.
To maximise the benefits of using cryptocurrency safely, Kaspersky experts also recommend:
- Be cautious of phishing scams: Scammers often use phishing emails or fake websites to trick people into revealing their login credentials or private keys. Always double-check the URL of the website and don't click on any suspicious links.
- Don’t share your private keys: Your private keys unlock your cryptocurrency wallet. Keep them private and never share them with anyone.
- Educate yourself: Stay informed about the latest cyber threats and best practices to keep your cryptocurrency safe. The more you know about protecting yourself, the better equipped you’ll be to prevent cyber-attacks.
- Research before investing: Before investing in any cryptocurrency, research the project and the team behind it thoroughly. Check the project’s website, white paper, and social media channels to ensure that the project is legitimate.
- Use security solutions: A reliable security solution will protect your devices from various types of threats. Kaspersky Premium prevents all known and unknown cryptocurrency fraud, as well as unauthorised use of your computer's processing power to mine cryptocurrency.